SSL Decryption Implementation

It is essential to understand that SSL and TLS traffic accounts for approximately 30-50% of internet traffic across organizations. Why is this important? Because locking your front door while leaving the back door open doesn't help secure your house. Similarly, inspecting unencrypted traffic while letting encrypted traffic pass through your network untouched does little to secure your network. This is where SSL Decryption on a Palo Alto Networks firewall can step in and help lock the back door.


BEFORE YOU BEGIN


1) Important Considerations:

   a) Prior to enabling SSL Decryption, users should be informed that there is no expectation of privacy on the corporate network.
   b) Decryption can cause some applications to break. It is important that testing be done with a sample group prior to enabling SSL Decryption across your network.

2) This guide assumes the organization has an internal Microsoft Certificate Services infrastructure in place.


PHASE 1 – CERTIFICATES ON PALO ALTO NETWORKS FIREWALL


1) Log into the firewall and navigate to Device > Certificates.

2) Click Import.

3) Provide a certificate name (any name you like) and the root CA certificate file. Click OK.

4) Click Generate.

5) Provide your PAN's subordinate CA certificate name (any name you like) and common name, and change Signed By to External Authority (CSR). Click Generate.

6) Select the box next to your newly generated CSR and click Export. Your browser should prompt you to download a CSR file.

7) Open the CSR file with your preferred text editor and copy the entire contents to your clipboard.

8) Browse to your Microsoft AD Certificate Services server via the URL https://servername/certsrv. It may prompt you for credentials. You need to provide AD credentials that have Enroll permissions on the Subordinate Certification Authority certificate template. If it did not prompt for credentials, it likely used the logged-in user's credentials.

9) Click advanced certificate request.

10) Paste the contents of the CSR from step 7 into the Saved Request box. Ensure the Certificate Template is set to Subordinate Certification Authority and click Submit.

11) Select Base 64 encoded and click Download certificate.

12) Save the file along with your CSR. This file needs to be secured, as it holds both the private and public key and can provision certificates on your domain's behalf.
It is critical that this file not be compromised; delete it once it has been uploaded to the Palo Alto firewall.

13) Click Import.

14) Provide the certificate name used in step 5 and the path to the certificate file from step 12. Click OK.

15) You should see the new certificate indented underneath the root CA certificate that was imported earlier. Click the name of the certificate (in this example, PA-200 CA).

16) Check Forward Trust Certificate and Forward Untrust Certificate and click OK.

17) Verify the certificate usage reflects the two roles assigned as pictured below.

18) This completes the certificate portion of the SSL Decryption implementation.


PHASE 2 – SSL DECRYPTION PROFILE AND POLICIES


1) Log into the firewall and navigate to Objects > Decryption Profiles. Click Add.

 A) Digital Scepter recommends two different Decryption Profiles:

  i) IT_Decrypt – Allows access to sites with expired and untrusted certificates. Recommended only if accessing off-site resources with untrusted, self-signed certificates. If this is not the case, you can avoid using this decryption profile.

  ii) User_Decrypt – Blocks access to sites with expired and untrusted certificates. Users do not have the usual option to accept these certificates and proceed.

2) Navigate to Policies > Decryption. Click Add.

3) Create a policy as seen in the image below with the following settings:

  a) Name: Protect Confidential
  b) Source Zone: Inside
  c) Destination Zone: Outside
  d) URL Category: financial-services and health-and-medicine
  e) Options: No Decrypt

4) Create two more policies as seen in the image below with the following settings:

 a) Policy 1

  i) Name: Decrypt IT Outbound

  ii) Source Zone: Inside

  iii) Source Address and User: (Your IT Department Subnet) and (Your IT Department AD Group).
Digital Scepter recommends configuring both of these, but at a minimum the source user should be specified.

  iv) Destination Zone: Outside

  v) URL Category: any

  vi) Options:
   1) Decrypt
   2) Type: SSL Forward Proxy
   3) Decryption Profile: IT_Decrypt

 b) Policy 2

  i) Name: Decrypt User Outbound

  ii) Source Zone: Inside

  iii) Destination Zone: Outside

  iv) URL Category: any

  v) Options:

   1) Decrypt
   2) Type: SSL Forward Proxy
   3) Decryption Profile: User_Decrypt


This should leave your firewall configured with three Decryption policies. The first instructs the firewall not to decrypt two URL categories that are deemed safe and confidential: financial-services and health-and-medicine. The second provides outbound decryption for IT staff with the less restrictive decryption profile allowing for expired and untrusted certificates. The third provides outbound decryption for all other users with the more restrictive decryption profile that blocks expired and untrusted certificates.